Can a backscan be forced?
Yes, there is a way to force the initial breach assessment, or backscan, on a Stairwell forwarder. Typically the only reason to force a backscan is that the initial backscan was skipped; however, regardless of whether a backscan was ever performed, it can be forced to run again.
Windows
- Stop the Stairwell Service
- Update the registry keys under whichever of these paths exists on the host (the first belongs to the StairwellForwarder service, the second to the InceptionForwarder service):
HKLM\Software\Stairwell\SwellService\
or HKLM\Software\Stairwell\Inception\
- Restart the Stairwell service
@echo on
sc.exe stop StairwellForwarder
reg.exe add HKLM\Software\Stairwell\SwellService /v FullVolumeScan /t REG_DWORD /d 1 /f
reg.exe delete HKLM\SOFTWARE\Stairwell\SwellService /v BackscanStatus /f
reg.exe delete HKLM\SOFTWARE\Stairwell\SwellService /v BackscanComplete /f
reg.exe delete HKLM\SOFTWARE\Stairwell\SwellService /v BackscanStarted /f
sc.exe start StairwellForwarder
sc.exe query StairwellForwarder
@echo on
sc.exe stop InceptionForwarder
reg.exe add HKLM\Software\Stairwell\Inception /v FullVolumeScan /t REG_DWORD /d 1 /f
reg.exe delete HKLM\SOFTWARE\Stairwell\Inception /v BackscanStatus /f
reg.exe delete HKLM\SOFTWARE\Stairwell\Inception /v BackscanComplete /f
reg.exe delete HKLM\SOFTWARE\Stairwell\Inception /v BackscanStarted /f
sc.exe start InceptionForwarder
sc.exe query InceptionForwarder
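The same Windows procedure as a single PowerShell script, added here as an example rather than a Stairwell-supplied tool: it picks whichever forwarder variant is actually installed, waits for the service to stop before touching the state values (so the forwarder cannot rewrite them mid-change), and confirms the service is running again afterwards. Service names and registry paths are the ones from the batch snippets above.

```powershell
# Added example (not Stairwell's own tooling): force a backscan on Windows by
# detecting the installed forwarder variant and applying the same registry
# changes as the batch snippets above, with a check between each step.
$variants = @(
    @{ Service = 'StairwellForwarder'; Key = 'HKLM:\SOFTWARE\Stairwell\SwellService' },
    @{ Service = 'InceptionForwarder'; Key = 'HKLM:\SOFTWARE\Stairwell\Inception' }
)

# Choose the variant whose service and registry key both exist.
$target = $variants | Where-Object {
    (Get-Service -Name $_.Service -ErrorAction SilentlyContinue) -and (Test-Path $_.Key)
} | Select-Object -First 1

if (-not $target) {
    throw 'No Stairwell/Inception forwarder service with a matching registry key was found.'
}

# 1. Stop the service and wait until it has really stopped, so the forwarder
#    cannot rewrite the backscan state while we remove it.
Stop-Service -Name $target.Service -Force
(Get-Service -Name $target.Service).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

# 2. Request a full-volume scan and clear the recorded backscan state.
New-ItemProperty -Path $target.Key -Name 'FullVolumeScan' -Value 1 -PropertyType DWord -Force | Out-Null
foreach ($name in 'BackscanStatus', 'BackscanComplete', 'BackscanStarted') {
    Remove-ItemProperty -Path $target.Key -Name $name -ErrorAction SilentlyContinue
}

# 3. Restart and confirm the service came back up with the flag set.
Start-Service -Name $target.Service
$svc = Get-Service -Name $target.Service
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
$state = Get-ItemProperty -Path $target.Key
Write-Output ("{0} is {1}; FullVolumeScan={2}" -f $target.Service, $svc.Status, $state.FullVolumeScan)
```

Run it from an elevated PowerShell session; the forwarder clears FullVolumeScan itself once the new backscan has started, so a value of 1 immediately after restart is the expected state.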
Linux
- Stop the Stairwell Service
- Remove the backscan file
/var/lib/stairwell/scansession.json
- Start the Stairwell service
systemctl stop stairwell
rm /var/lib/stairwell/scansession.json
systemctl start stairwell
Mac
- Delete Keychain entries for backscans
sudo security delete-generic-password -a FullDiskScanState
sudo security delete-generic-password -a FullScanStatus
- Reload the forwarder
sudo /Applications/Inception\ Forwarder.app/Contents/MacOS/Inception\ Forwarder uninstall-extension
sudo /Applications/Inception\ Forwarder.app/Contents/MacOS/Inception\ Forwarder install-extension